Hashed Message Authentication Code (HMAC)

A hashed message authentication code (HMAC) is a message authentication code that makes use of a cryptographic key along with a hash function. The actual algorithm behind a hashed message authentication code is complicated, with hashing being performed twice. This helps in resisting some forms of cryptographic analysis. A hashed message authentication code is considered to be more secure than other similar message authentication codes, as the data transmitted and key used in the process are hashed separately.

Techopedia explains Hashed Message Authentication Code (HMAC)

Like other message authentication codes, a hashed message authentication code can simultaneously verify the authenticity of a message and the integrity of its data. The size of the secret key used determines the cryptographic strength of the hashed message authentication code. A hashed message authentication code can make use of iterative cryptographic hash functions such as SHA-1 and MD5 along with the secret key.

The hashed message authentication code provides a public and private key to both the server and the client. Although the public key is known, the private key is known only to the specific client and server. The process starts with the client creating a unique hashed message authentication code based on the data requested, by hashing the requested data along with a private key. This is sent as part of the request to the server, which in turn compares the two hashed message authentication codes and, if they are equal, trusts the client and executes the request. The whole process is also known as a secret handshake.
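The double hashing and the request check described above can be shown in a short Python sketch. This is an added example, not code from the original page; it assumes SHA-256 as the hash function, and the function names, secret and request string are hypothetical, constructed values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes input in 64-byte blocks


def hmac_two_pass(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 written out from its definition (RFC 2104)."""
    if len(key) > BLOCK_SIZE:              # over-long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to one full block
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(inner_pad + message).digest()  # first hash: key and data
    return hashlib.sha256(outer_pad + inner).digest()     # second hash: key and inner digest


def sign_request(secret: bytes, request: bytes) -> str:
    """Client side: compute the tag that travels with the request."""
    return hmac.new(secret, request, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, request: bytes, tag_hex: str) -> bool:
    """Server side: recompute the tag and compare without leaking timing."""
    expected = sign_request(secret, request)
    return hmac.compare_digest(expected.encode(), tag_hex.encode())


# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
REQUEST = b"GET /orders?id=42"

if __name__ == "__main__":
    tag = sign_request(SECRET, REQUEST)
    print("two-pass matches library:", hmac_two_pass(SECRET, REQUEST).hex() == tag)
    print("genuine request accepted:", verify_request(SECRET, REQUEST, tag))
    print("tampered request accepted:",
          verify_request(SECRET, b"GET /orders?id=43", tag))
```

The hand-written version is there only to make the two passes visible; real code should call the library `hmac` module, as `sign_request` does.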

One of the key benefits of the hashed message authentication code is that it is less affected by collisions, and brute force is considered necessary to obtain the secret cryptographic key. A hashed message authentication code provides a convenient technique to verify both whether the data has been tampered with and the authenticity of the user.

However, one drawback of the hashed message authentication code is the absence of any privacy, which can be obtained with full encryption.
